Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 15-03-2024 06:24
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Size: 10.0MB
MD5: 27b212a4dd85e1489a319e5bffb8e8e4
SHA1: f9ce83e4558a068ed6392eeb56c8d24fd7d491b8
SHA256: b435d144865fbb2f05fc13239fe1cf8445853761d351d76ba440cc43df76d02d
SHA512: 36119d9086798196338472164d9aed832c3bce733a5b3b66fa79e25c3826be52d9d47379e7bc1ad97b9d980fef2b27f22520a17b90759ef351e746602b1cbd62
SSDEEP: 98304:9OIT75iBU3es/zYKQphi4v0tEpYJCvVn/IHqudk5K35KFhcaP2rzzALYlz1ELvR+:sIT+k/nIBvt0dkAJK+ALYCt+
Malware Config
Signatures
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (23 IoCs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (21 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process count (grouped from the 31 entries, in report order)
2360 ehRec.exe 1
2204 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe 25
1620 aspnet_state.exe 5
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process count (grouped from the 62 entries; "33" is a privilege the sandbox prints by LUID only, and LUID 33 is SE_INC_WORKING_SET_PRIVILEGE, SeIncreaseWorkingSetPrivilege, in winnt.h)
Token: SeTakeOwnershipPrivilege 2204 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe 1
Token: SeDebugPrivilege 2204 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe 5
Token: SeShutdownPrivilege 2836 mscorsvw.exe 5
Token: SeShutdownPrivilege 1496 mscorsvw.exe 31
Token: 33 1040 EhTray.exe 2
Token: SeIncBasePriorityPrivilege 1040 EhTray.exe 2
Token: SeDebugPrivilege 2360 ehRec.exe 1
Token: SeRestorePrivilege 2428 msiexec.exe 1
Token: SeTakeOwnershipPrivilege 2428 msiexec.exe 1
Token: SeSecurityPrivilege 2428 msiexec.exe 1
Token: SeBackupPrivilege 696 vssvc.exe 1
Token: SeRestorePrivilege 696 vssvc.exe 1
Token: SeAuditPrivilege 696 vssvc.exe 1
Token: SeBackupPrivilege 2944 wbengine.exe 1
Token: SeRestorePrivilege 2944 wbengine.exe 1
Token: SeSecurityPrivilege 2944 wbengine.exe 1
Token: 33 1688 wmpnetwk.exe 1
Token: SeIncBasePriorityPrivilege 1688 wmpnetwk.exe 1
Token: SeManageVolumePrivilege 1920 SearchIndexer.exe 1
Token: 33 1920 SearchIndexer.exe 1
Token: SeIncBasePriorityPrivilege 1920 SearchIndexer.exe 1
Token: SeDebugPrivilege 1620 aspnet_state.exe 1
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1040 EhTray.exe 1040 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1040 EhTray.exe 1040 EhTray.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
pid Process count (grouped from the 22 entries)
1368 SearchProtocolHost.exe 5
2412 SearchProtocolHost.exe 17
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target count (grouped from the 64 entries, in report order; every write is from a parent into a child that appears directly under it in the process tree below, which is how process creation looks to an API monitor, not a write into an unrelated process; the table stops mid-sequence at 64 entries, so it is truncated)
PID 1496 wrote to memory of 2912 1496 mscorsvw.exe 39 3
PID 1496 wrote to memory of 1676 1496 mscorsvw.exe 43 3
PID 2836 wrote to memory of 1648 2836 mscorsvw.exe 53 4
PID 1920 wrote to memory of 1368 1920 SearchIndexer.exe 60 3
PID 2836 wrote to memory of 2484 2836 mscorsvw.exe 61 4
PID 1920 wrote to memory of 2676 1920 SearchIndexer.exe 62 3
PID 2836 wrote to memory of 2692 2836 mscorsvw.exe 63 4
PID 2836 wrote to memory of 2936 2836 mscorsvw.exe 64 4
PID 2836 wrote to memory of 1532 2836 mscorsvw.exe 65 4
PID 1920 wrote to memory of 2412 1920 SearchIndexer.exe 66 3
PID 2836 wrote to memory of 3016 2836 mscorsvw.exe 67 4
PID 2836 wrote to memory of 2220 2836 mscorsvw.exe 68 4
PID 2836 wrote to memory of 1864 2836 mscorsvw.exe 69 4
PID 2836 wrote to memory of 2084 2836 mscorsvw.exe 70 4
PID 2836 wrote to memory of 1480 2836 mscorsvw.exe 71 4
PID 2836 wrote to memory of 2000 2836 mscorsvw.exe 72 4
PID 2836 wrote to memory of 1960 2836 mscorsvw.exe 73 4
PID 2836 wrote to memory of 1576 2836 mscorsvw.exe 74 1 (list cut off here)
-
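The AdjustPrivilegeToken and WriteProcessMemory tables above need reading against the process tree rather than by count. Most of the 62 privilege entries are mscorsvw.exe enabling SeShutdownPrivilege, vssvc.exe and wbengine.exe enabling backup and restore privileges, and msiexec.exe enabling SeRestore, SeTakeOwnership and SeSecurity, all of which is what those services do. What stands out is the sample in %TEMP% (PID 2204) enabling SeTakeOwnershipPrivilege and, five times, SeDebugPrivilege, and aspnet_state.exe (PID 1620), listed as a dropped EXE and showing the same file-drop and process-enumeration behaviour as the sample, also enabling SeDebugPrivilege. In the WriteProcessMemory table every entry is a parent (mscorsvw.exe 1496 and 2836, SearchIndexer.exe 1920) writing into a child listed directly under it in the process tree, so none of the 64 hits is injection into an unrelated process. The Python below is an added example and is not part of the report: it parses lines in the two tables' formats, maps the bare LUID 33 to its winnt.h name, groups who enabled SeDebugPrivilege and SeTakeOwnershipPrivilege, and flags any memory write whose target is not the writer's direct child. The embedded events are copied from the tables above (one line per repeated pair) except the last WPM line, which is constructed to produce a hit; PARENT_OF is read off the process tree below.

```python
import re
from collections import Counter

# Privileges the sandbox prints by LUID when it has no name for them
# (winnt.h SE_*_PRIVILEGE values); 33 is SE_INC_WORKING_SET_PRIVILEGE.
PRIV_BY_LUID = {33: "SeIncreaseWorkingSetPrivilege"}

# Privileges that let a process open other processes or seize files.
HIGH_RISK = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"}

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")

# Lines copied from the report's AdjustPrivilegeToken table (one per repeated pair).
TOKEN_EVENTS = """
Token: SeTakeOwnershipPrivilege 2204 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeShutdownPrivilege 2836 mscorsvw.exe
Token: 33 1040 EhTray.exe
Token: SeIncBasePriorityPrivilege 1040 EhTray.exe
Token: SeDebugPrivilege 2360 ehRec.exe
Token: SeRestorePrivilege 2428 msiexec.exe
Token: SeTakeOwnershipPrivilege 2428 msiexec.exe
Token: SeBackupPrivilege 696 vssvc.exe
Token: SeDebugPrivilege 2204 2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege 1620 aspnet_state.exe
"""

# Lines copied from the WriteProcessMemory table, plus one CONSTRUCTED line
# (PID 1111 / constructed.exe) that is NOT in the report and only exercises the check.
WPM_EVENTS = """
PID 1496 wrote to memory of 2912 1496 mscorsvw.exe 39
PID 1496 wrote to memory of 1676 1496 mscorsvw.exe 43
PID 2836 wrote to memory of 1648 2836 mscorsvw.exe 53
PID 1920 wrote to memory of 1368 1920 SearchIndexer.exe 60
PID 1920 wrote to memory of 2676 1920 SearchIndexer.exe 62
PID 1111 wrote to memory of 2222 1111 constructed.exe 0
"""

# Parent of each child PID, read off the depth-2 entries of the process tree.
PARENT_OF = {2912: 1496, 1676: 1496, 1648: 2836, 1368: 1920, 2676: 1920}


def parse_token_events(text):
    """[(privilege, pid, process)] with numeric LUIDs resolved where known."""
    out = []
    for priv, pid, proc in TOKEN_RE.findall(text):
        if priv.isdigit():
            priv = PRIV_BY_LUID.get(int(priv), "LUID:" + priv)
        out.append((priv, int(pid), proc))
    return out


def high_risk_by_privilege(events):
    """{privilege: sorted [(pid, process)]} restricted to HIGH_RISK privileges."""
    table = {}
    for priv, pid, proc in events:
        if priv in HIGH_RISK:
            table.setdefault(priv, set()).add((pid, proc))
    return {p: sorted(v) for p, v in table.items()}


def parse_wpm_events(text):
    """[(writer_pid, target_pid, writer_process)]."""
    return [(int(src), int(dst), proc) for src, dst, proc in WPM_RE.findall(text)]


def writes_per_parent(events):
    """How many distinct targets each writer touched."""
    return Counter(src for src, _dst, _proc in {(s, d, p) for s, d, p in events})


def cross_process_writes(events, parent_of):
    """Writes whose target is not the writer's direct child: the only ones that
    can be injection.  A parent writing into a child it has just created is
    what CreateProcess looks like under an API monitor."""
    return [(s, d, p) for s, d, p in events if parent_of.get(d) != s]


if __name__ == "__main__":
    print(high_risk_by_privilege(parse_token_events(TOKEN_EVENTS)))
    print(writes_per_parent(parse_wpm_events(WPM_EVENTS)))
    print(cross_process_writes(parse_wpm_events(WPM_EVENTS), PARENT_OF))
```

The SeDebugPrivilege group comes back as aspnet_state.exe, the sample and ehRec.exe, and the SeTakeOwnershipPrivilege group as the sample and msiexec.exe; the cross-process check returns only the constructed line, which is the result a practitioner should expect from this report's real entries.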
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3052
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1716
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f8 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1f8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2220
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 1ac -Pipe 184 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ac -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 24c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 274 -Pipe 1ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f8 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 268 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 1f8 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 29c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f8 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:868
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2912
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1e4 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1732
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2332
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 254 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1928
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b0 -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1892
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2088
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 274 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1044
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1bc -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2616
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1dc -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2008
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 268 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1536
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 230 -NGENProcess 284 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1424
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1bc -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2160
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 288 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1652
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 290 -Pipe 1bc -Comment "NGen Worker Process"2⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 230 -Pipe 27c -Comment "NGen Worker Process"2⤵PID:1564
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"2⤵PID:2068
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2776
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:616
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1040
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1720
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1892
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3008
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:996
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1740
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1196
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:856
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1724
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2144
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3024
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1368
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:2676
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2412
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.4MB
MD5 e6c3116c761c8ba3834149e73aeb1904
SHA1 6f910bd2e7394b2ff4905f62f36ec0b45b0c0d06
SHA256 2746087fe8be0dd3ec448d64a6fa38f7b756001fad11823a3dc1b5a7e558f2e4
SHA512 096fbd5b62f7e13a4ed378252fd4191a81a303192788043ea9633312ccdd57697b7a5dd332c1d2cd66341280ed9c72db73ad6ee673369f9c037b5b67184d0797
-
Filesize 18.3MB
MD5 e85b8a8123abff46fd8dbb9b649d96a6
SHA1 b9bf4589fb3b70cccd9905a4c695a7e0dd4fdd6b
SHA256 3bd4dc73bdd609126f89e88f8e893f2da0ff1a3c4b70a232b20bb3e30cc1cd58
SHA512 ed2d98b6bf54c246ef702f4916abfa79265df5d629fea4e7907ec3e781aeeb59bcc8a27e48cd8db2328a46881cd33e5128ce35482e199604aeb8656c644dd3cc
-
Filesize 1.4MB
MD5 ff97f4aae2e3acf1ef46979465c76dd0
SHA1 92f0585de48b863abcb23608f338dcc6bf96ba5a
SHA256 507e38c4ef19e6b87b2b2ab8bccc60a3b3e1b9e0f8a37f2314b3197004364b66
SHA512 6b58f82ad9788225bd95e1c557eab420bda2c3b60fba30e8b72e64fdabb38eca363b4c2467274803ffab732a92266ad5f2afdf5da4cd1ed67fb0ba1e9035f750
-
Filesize 5.2MB
MD5 2b2506f3b720f38f6e9a32a950355d43
SHA1 db2eb0eff29e29cc1c3915960a95873cc6637b8c
SHA256 cd33637996259e28e5e72699af97ba855ec888aabc9cd461d0dd6ac95867f3a6
SHA512 916e3fdef09a48cd2824fd0ba0c247e64e2147bd67e222795a9d5b9bb86aba96dba9c5559e7637aa531abf45176fc5c8b6688ccb731150f43e70568a46aee455
-
Filesize 2.1MB
MD5 8b76e0d7944aaff57c5046885bce93c6
SHA1 7b5eda5dc42b9912830612fd16854ec9641abcb4
SHA256 3444a1f7e782e519b6570ec5b95700d3005b6cd8f22d9508d627c8294af95d1a
SHA512 94b00382c00237e54605387d68aaa659237752874c0933f85376da409030265135a6b1ded7c6efca0628650e55df4d23f660b8f57101ffc7496bfb59e9521c36
-
Filesize 1024KB
MD5 c6c09716cabf2a8492f03b877b2d2a07
SHA1 cb6e3ddb0ff946d8fa0345fa5381ead2b3eccadb
SHA256 80d1e6033351021783f6284a4abb80913d1e82c09d19ede91e9ae4f367dce84e
SHA512 a6f2c0c70820957de373e6546ceca809c8997cff233434b28cfaf80352a81628b7f6c6ea18f7dc5c0729b071507bcf92d6843a54c0d29c609a28525152d825fd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DKWXG404URLEYMY9EY14.temp
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize 1.3MB
MD5 afcfcdd1c63b09b3d1864665ac4a2fed
SHA1 1ad0ef84c26aa621bfad807029c94725cdeee8aa
SHA256 8455a4c0f64285f0eb5b543345fe5f8ffd6b4da35b0059b0a8ed7c3ca6a948d7
SHA512 e233f52b939fa2d2c67294df06dc3d680ddcce63c660ba48ebf54eebea3c1d8fc3c3486878d15c8bf43bbda698627fe756dd28e42ca29dce79892806a57e1898
-
Filesize 872KB
MD5 b96984716b66382676aa6ac3324c4815
SHA1 33469079ee257b488726b59da101ee7b54789239
SHA256 4948e3136a4b4da2ccf80f12f28ceedb79f43461b8ae17fa8d57d78c697165d1
SHA512 0c79ed125a1e3311157c2b27f9aeb5f2604aa2db3dab4abdaece04cb00f68b8f81ec72bed76e44c53cc513dad4481c1ae715216fa73870242b38e955c898c877
-
Filesize 1.3MB
MD5 47f89242c0ad86f6a4e8189ecf1baa6c
SHA1 827181081b28400fce4ee4611283d083f37839f1
SHA256 3998bd9ed00de8b25ff4c2b02fab5898d8b129550e4891ddbb2950d66f965a42
SHA512 100b2ba57e1b39da806780420e7ef6c9749a2c66926e0ce636b283a3982277f8518bf301240432a2a19a97a9be21ebcc078e714b9b959007d2f1f2c7de19983d
-
Filesize 1.3MB
MD5 5a002e8d641a969f1f641dfddb2588b9
SHA1 85327e5762bc7a5b4b2cda7fdefacd3a04b4daf4
SHA256 e9493d6c550955d10ad6f287dc0773400d5ae5def9eaf7c45de2195771847131
SHA512 9a63dd8f4761df099a192c85331690187c59eaa4a2ea7c780f40b5d9d133a95313d8ac52e03ed9c40a1076efa076f73df04d3a2550d7f0c1c4cde37f2c7dec2a
-
Filesize 8KB
MD5 59ab7616f944451c223d336d478b2aef
SHA1 aff6d0ea00ef2611da50d0decfd34734016b6cb4
SHA256 1e50c815fc778cfbfc8a492964db3f465d013e46894a07d68cb1a8dd0117c333
SHA512 b6176eac7a28ccbc54dc92cd0e96733911a0b9ecc560641c4a5f82b871d5ce8df5bf5c507d2e618a0e168658f3308e611e822c3c038185db83e0c27ab1805837
-
Filesize 1.3MB
MD5 8bc9f14158f46cbca81483638a4c581c
SHA1 4559150711930507aadbdd89c0ca1ae1937cf6d6
SHA256 4dcd3ae3eea6837b105da3c70f776197a10b17909083183071e71d8903881042
SHA512 8fe7174991f9d20090329d1cba8c714050bb341d25eeb1aecf75da8077f24aae31cb338ee3fef76e56a34879a61e8a065d48c450ffd373cbfb94f084561081bd
-
Filesize 1003KB
MD5 ed7240f320441e8de1e2636737f461a3
SHA1 6fe3a83214ec28a337e46aa2ad19a2b21536351f
SHA256 8449a6662f819f4b3b9c06f1f56c2903d7a35cc1bca37ac60f13761104735d4b
SHA512 90018dfd20277e112dbb2c8d0f36effb2c33885efccd98c80cf26c8bc0ea7f1d5bf9550750da5f53b5007c30851ec4535874e510426e1074bb76aa2cf3d0007d
-
Filesize 1.3MB
MD5 14ecda28594ba97b51c46f11115af9cf
SHA1 e657da78e8d655f81c1388ad03d56689d73ff5d0
SHA256 9b944c9572a3b2f306ed453fc517a4afc1ca1ef3d9e503312a1ebe453f0097f6
SHA512 2f66e3ca1daa7c1b20b314ba48b741d635a1fd7e97cffe882854c8eadb31a38b60a1edee03cb89815106044bb38663ef9d4a0fa60fecf4dbe6c7e1593bb9491f
-
Filesize 64KB
MD5 4c75f3ee24018e165397e03254eeab86
SHA1 c24159372b9813794916d455bdf98b716f0aa330
SHA256 af26f0e9705661137cb576b72ca813e38d9a1a22c3047e9d09f5a1cea21ae065
SHA512 7c5a07671a94cc55f69a5be2d00c336ef7ae97ea0d259f5c6e31220e45aacbcfd23ffc34db61b28dcab9c65b3d13203261093e7d5e823d61cadb423889bd6141
-
Filesize 1.2MB
MD5 45063cf919010448c0dbd2891aaba155
SHA1 df51c367ed4b85483729f7e7e92562f38c901c72
SHA256 4af28c3d21f46214615680ad896c1a6dd7e27a09be0079becfe58d469a8cfb9b
SHA512 486bd72e947cc851408d870a652394a2935f2cf8d24e9c265aa7bac995c22405753633d3734f89b41ae7ae17f81fbb958db369c5e7635712f7573a2896fdeae3
-
Filesize 1.1MB
MD5 94f312b7b62cc155710f1a9f7dd978c5
SHA1 fb3dfa843b482217fd405083c6edc81189a4e0b5
SHA256 e3d629c65eb5baa0007760dc1132dbc64835fbd2a4fb30826057ed37223ee4f3
SHA512 f4595a9e0f9e9504a81cc9d30020020c71577a14c60846ce21922cd883ad1189bf135dac10b58920d6d6bc8c26f29e20872fb83e20383a1a2cce6f171f3c92e6
-
Filesize 2.1MB
MD5 87729fb57310e51b1667f3dca5230459
SHA1 bfe6dfc40decb9119b7b2c66162e0fe03f547ea3
SHA256 d4759f8007323dde3c73dfe23350bdd7cab85ae04f9e1d80291216de1b34b19a
SHA512 e76311c27cdddc3591dce8e728a71c37bbbab8d6719e0ab11aded926f26755821e88990911dfd0d0c5f67f547cf6fdaa03acdcabf93df006753744f49048bea6
-
Filesize 1.2MB
MD5 a99262affb7494a8ad8cb98e58b80b80
SHA1 b96283735efb8dc184813dd92391307bf4ec62a5
SHA256 60e72267fae9953d2b923674304623a814594fd2403c14aef0efbc3fbdd272a7
SHA512 e55a73c72b677f2c392019c294371f4316b73e61db9a751f804782049765ce6344e66eee5b21388203593b89406ebda431b423e9e5b383c4a73427362f2470ac
-
Filesize 1.7MB
MD5 d208b30823f649fe44de86a49d6ba498
SHA1 36ae33c46276fd3d8978e6986752e618c874afda
SHA256 28ef3f747edd11a86e2a471ca87df8eb56f958e552ca74307d729f5798db4d94
SHA512 c7ef02b4f7c07c3dc3d2d34bd0ede40e0e7eb6c5e221e782da0acaa67dab30d5c59014ab2714a94d89028117d0337da74d7ca8cd328558371bd41fe965f707c1
-
Filesize 512KB
MD5 f3fa12ab2c6f78405eb9c2a2fcb01b52
SHA1 85916499178676184dde8b200d63e899023859c6
SHA256 299dd989298b5ea818c3098f695b4c156048febfbc77211770c7ffe881cff904
SHA512 6d05b78a16584a9d33056414990311d71597a5452203b2e93863e05e8901c84ec7337865fa9e0a0975aba691384d2b8e46e96e9632fd147df21dfe1d10259de3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 248KB
MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize 58KB
MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
Filesize
1.3MB
MD5280f87a110b28c254724919c399fe797
SHA12346343ae0e33bd11053ebf066d8475b8a1c0606
SHA256441e58ca3d9252568d66ee511671cceb447af8614b79133f4504c7b006d9ead1
SHA5122096736df7e8931b93a9f1c1087c3926dc266ce69a2a3b6320954832d377af7d62996d1cbd78aeb90016a5c9dd05b7068e715a7f5a9f3d43f8a3d54002e557de
-
Filesize
2.0MB
MD55342bc72002ea6a1614160aed260362d
SHA1f163b21f9931f67f34a79f7e1411f4a25e81ea28
SHA256c702e855033c4a0342e4efe333977858417eb3b08118ace779cfa6e6101c92c3
SHA512558acf238e423bd942d312eb7a44c134109fc490291792fa555ee21c3ec100adeef054ca27df5d6f9a54d99dbfc0d9fac8fc7838e40e373058df2db6cbbe3fc9
-
Filesize
1.2MB
MD50103f562a75833fe2c2f6b52d0509232
SHA1029b2ffccfd3efcbdede4d644f355cc3b513686b
SHA256cc293ad47d845bcdb08e5174951ef1859049c89eb45e764ff0bc303fd021977b
SHA5129e605d3e0d53a6a754902d9b8d446b0fb0ed6a841d856c34f4592e3e25f11b7099cac09aaba9498d72324c4a48df7fb618cf3887ef7946e098c19c4670616a1f
-
Filesize
1.3MB
MD572b04e43cb2d08a1614956d0a866d4bf
SHA16d5c6568bf9a1f4a2a9adb389b16350869526594
SHA2566c3c2fca28bafd4d7b0b3717fc1cf343e385f6f7d72e61ca0f772cdcf750bd8a
SHA5129865c4d657cda991497f0e89ad6951df58daa0fce654cc8677fbe843fe5d2fcd0505c932750bd256927da50c812369802ce4c0f552d922e4c547f8a1b2c741e8
-
Filesize
1.3MB
MD5471e9d0783a78dca1893afd074f283d8
SHA17ead305b4ea793e8d858090298470070d1304c40
SHA25618f6eeebd4494e463a0fd485bc596d894d2021f7c75266297355c972966e3ab8
SHA5127894715d4bec57ed0f93833f263e401f142b8d8101f5fe69da73459c39a46737a5614d4e8dd6355f25a8b700def53829aa732b16674ed0ec55c6dd46eff5b82c
-
Filesize
1.3MB
MD53e50c41166bc0119e7a3663192d9898e
SHA185e300739d5ad4687c29730a1be4a79d703f5fde
SHA2567597af5eb3b7660395001fb55f96a4bc003ddf630fb2c33bf7c89af6a8497f0a
SHA512b47decd237f4cf0a036d08b53493aa6621f22b511844036c61510cd1d99bae73748f8a3c7266f0477d08815865f5f6c03a1ff5574bd3dddada0ff79f67fd871a
-
Filesize
1.4MB
MD52d8d0ba28621d6abb6dc58c0ec04911b
SHA136fca28e065a62063282727949f99767c1ff7cbd
SHA25605cd662c34b5c79e320471be96d7bc8d56a4e08fdac4f5bcdee279fdab4ef89a
SHA5122f5c563783f6f372c548d7403b935efd68a99274bfd287dc97edbc1535fc0246b911f2e62ed6575ac1cc280a3d92270fd0c10dbd2db0cf32a0459fb5e8947927
-
Filesize
1.3MB
MD5dbbe15a1266126721214c3c7523dae2c
SHA1abda640f68609c9618b9df071c694c4ddd908d1c
SHA256bd1846b46f93f67ced3d86d8e80dfa201a9b9f7c194da6e69d22abb141823f94
SHA51270d8b73e591f2c64990e72fbbcb324605cc99244cb86b6e03180ba432949e1abb0019e02444dd651d21dbae28a0010481a381ec438d6d7abc5e0acceac0fd00a
-
Filesize
1.2MB
MD5ce36ab59b5baaa5616d6e9429f22a3ad
SHA1b86fda40af08cb23a6930d9edbf6739f4c81cae6
SHA25649b09711ced4eeeeb4639fbb74bd608dcc04b58f0332a5739b0271e6fa2cc4de
SHA5128e84149e860d28cec6aaf6f81bb58c64e996cfd062dc8fb5036ea9be302a002040c5724d0108c0318736efddf8f014b4ae292656dc7fe000541825a37086af56
-
Filesize
896KB
MD592d047b79b3a662c4126872e32aa3715
SHA1fa1ca958f4e243d6f997bd0d2d4ef564bc327044
SHA256eff233f0187157ab93d75a52b37d9de1bc98d129f3704da9d591dfa3009802d6
SHA512a18825260ce73a49e39643239d0cf2b6d64d89e6344295c6da43761347cb8c116751688b5d2147a30112fc613d2544583059f06d29a64646e4e2e65e1dde3f9e
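The listing above is the sandbox's dropped-file inventory: one entry per file, entries separated by a line holding only "-", the path present for only some entries, and the Filesize/MD5/SHA1/SHA256/SHA512 labels either fused to their values or split onto the next line by extraction. The parser below is an added example, not code from the report or from the sandbox vendor. It turns that text into structured IOC records, validates each digest's hex length so a truncated hash is flagged instead of silently loaded into a blocklist, buckets entries by path, and matches the digests of an in-memory byte string against the parsed entries. The bucketing is this example's own heuristic: the only paths that survive in the listing are .NET native images under C:\Windows\assembly\NativeImages_v2.0.50727_64\, the cache that the .NET Native Image Generator service (mscorsvw.exe) regenerates, so counting them as payload drops would inflate an IOC set. The field names, classify() labels and the hashlib-based matcher are assumptions of this example; the three entries embedded as sample input are copied from the listing above.

```python
"""Parse a sandbox dropped-file hash listing into validated IOC records.

Added example, not part of the original report. Handles labels fused to
values ('MD5<hex>', 'Filesize58KB') and labels split from their value
('Filesize' / '1.3MB' on consecutive lines).
"""
import hashlib
import re
from typing import Dict, List, Optional

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.IGNORECASE)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def _size_to_bytes(size: Optional[str]) -> Optional[int]:
    """'896KB' -> 917504. Report sizes are rounded, so this is approximate."""
    m = SIZE_RE.match(size.strip()) if size else None
    return int(float(m.group(1)) * UNIT[m.group(2).upper()]) if m else None


def _new_entry() -> Dict:
    return {"path": None, "size": None, "size_bytes_approx": None,
            "md5": None, "sha1": None, "sha256": None, "sha512": None, "errors": []}


def _finish(entry: Dict) -> Dict:
    """Normalise digests to lowercase and flag any that are not the right length."""
    entry["size_bytes_approx"] = _size_to_bytes(entry["size"])
    for algo, length in DIGEST_LEN.items():
        if entry[algo] is None:
            continue
        entry[algo] = entry[algo].strip().lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % length, entry[algo]):
            entry["errors"].append(f"{algo}: expected {length} hex chars, got {len(entry[algo])}")
    return entry


def parse_dropped_files(text: str) -> List[Dict]:
    """Split the listing on '-' separator lines and parse each entry's fields."""
    entries: List[Dict] = []
    entry, seen_field = _new_entry(), False
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":
            if seen_field or entry["path"]:
                entries.append(_finish(entry))
            entry, seen_field = _new_entry(), False
            continue
        if not line:
            continue
        if PATH_RE.match(line):
            entry["path"] = line
            continue
        m = FIELD_RE.match(line)
        if not m:
            entry["errors"].append(f"unrecognised line: {line!r}")
            continue
        label, value = m.group(1), m.group(2)
        # Label alone on its line: the value was pushed onto the next line.
        if not value and i < len(lines) and lines[i] != "-" and not FIELD_RE.match(lines[i]):
            value, i = lines[i], i + 1
        entry["size" if label == "Filesize" else label.lower()] = value
        seen_field = True
    if seen_field or entry["path"]:
        entries.append(_finish(entry))
    return entries


def classify(entry: Dict) -> str:
    """Triage bucket (this example's heuristic): NGEN native images are regenerated
    by the .NET optimization service; entries with no path cannot be attributed."""
    path = entry["path"]
    if path is None:
        return "unknown-path"
    low = path.lower()
    if "\\assembly\\nativeimages_" in low and low.endswith(".ni.dll"):
        return "ngen-native-image"
    return "dropped-file"


def digests_of(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def find_matches(entries: List[Dict], digests: Dict[str, str]) -> List[Dict]:
    """Entries where any recorded digest equals the corresponding computed one."""
    want = {a: v.lower() for a, v in digests.items()}
    return [e for e in entries if any(e[a] and e[a] == want.get(a) for a in DIGEST_LEN)]


# Three entries copied verbatim from the report listing, in its raw extracted form.
SAMPLE_LISTING = r"""
Filesize
1.3MB
MD58bc9f14158f46cbca81483638a4c581c
SHA14559150711930507aadbdd89c0ca1ae1937cf6d6
SHA2564dcd3ae3eea6837b105da3c70f776197a10b17909083183071e71d8903881042
SHA5128fe7174991f9d20090329d1cba8c714050bb341d25eeb1aecf75da8077f24aae31cb338ee3fef76e56a34879a61e8a065d48c450ffd373cbfb94f084561081bd
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
Filesize
896KB
MD592d047b79b3a662c4126872e32aa3715
SHA1fa1ca958f4e243d6f997bd0d2d4ef564bc327044
SHA256eff233f0187157ab93d75a52b37d9de1bc98d129f3704da9d591dfa3009802d6
SHA512a18825260ce73a49e39643239d0cf2b6d64d89e6344295c6da43761347cb8c116751688b5d2147a30112fc613d2544583059f06d29a64646e4e2e65e1dde3f9e
"""

if __name__ == "__main__":
    for e in parse_dropped_files(SAMPLE_LISTING):
        print(classify(e), e["size"], e["sha256"], e["errors"] or "ok")
```

Feed the whole "Dropped files" text through parse_dropped_files() and keep only the "dropped-file" and "unknown-path" buckets for IOC sharing; the "ngen-native-image" bucket is worth recording for the timeline but not for blocking.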